1 Developing a natural language interface to complex data

Gary G. Hendrix, Earl D. Sacerdoti, Daniel Sagalowicz, Jonathan Slocum 



June 1978 ACM Transactions on Database Systems (TODS), volume 3 issue 2 




Aspects of an intelligent interface that provides natural language access to a large body of 
data distributed over a computer network are described. The overall system architecture is 
presented, showing how a user is buffered from the actual database management systems 
(DBMSs) by three layers of insulating components. These layers operate in series to convert 
natural language queries into calls to DBMSs at remote sites. Attention is then focused on 
the first of the insulating components, th ... 

Keywords: database access, human engineering, intelligent interface, natural language, 
run-time personalization, semantic grammar 



2 Explicit allocation of best-effort packet delivery service
David D. Clark, Wenjia Fang 

August 1998 IEEE/ACM Transactions on Networking (TON), volume 6 issue 4 




Keywords: Internet protocol, TCP, packet networks, quality of service, rate control 



3 Optimizing TCP forwarder performance 

Oliver Spatscheck, Jørgen S. Hansen, John H. Hartman, Larry L. Peterson
April 2000 IEEE/ACM Transactions on Networking (TON), volume 8 issue 2 
4 Building a Wireless Network with Linux
Billy Ball

May 2000 Linux Journal

Want your laptop and PC to talk to each other without having to deal with wires? Here's 
how. 

5 Eliminating array bound checking through dependent types 
Hongwei Xi, Frank Pfenning 

May 1998 ACM SIGPLAN Notices , Proceedings of the ACM SIGPLAN 1998 conference 
on Programming language design and implementation, Volume 33 issue 5 


We present a type-based approach to eliminating array bound checking and list tag checking 
by conservatively extending Standard ML with a restricted form of dependent types. This 
enables the programmer to capture more invariants through types while type-checking 
remains decidable in theory and can still be performed efficiently in practice. We illustrate 
our approach through concrete examples and present the result of our preliminary 
experiments which support the feasibility and effectiv ...

6 A scalable comparison-shopping agent for the World-Wide Web 
Robert B. Doorenbos, Oren Etzioni, Daniel S. Weld 

February 1997 Proceedings of the first international conference on Autonomous agents 




7 IP Masquerading with Linux: How to enable and configure IP masquerading with Linux

Traditionally, models of packet arrival in communication networks have assumed either 
Poisson or compound Poisson arrival patterns. A study of a token ring local area network 
(LAN) at MIT [5] found that packet arrival followed neither of these models. Instead, traffic 
followed a more general model dubbed the "packet train," which describes network traffic as 
a collection of packet streams traveling between pairs of nodes. A packet train consists of a 
number of packets travelling ... 

9 Automated proofs of object code for a widely used microprocessor
Robert S. Boyer, Yuan Yu 

January 1996 Journal of the ACM (JACM), Volume 43 Issue 1




http://portal.acm.org/results.cfm?CFID=34068 1 04&CFTOKEN=8 5 70295 7&adv= 1 &COLL . . . 1 2/1 7/04 



Results (page 1): +nat +ftp 






Keywords: Ada, Boyer-Moore logic, C, Common Lisp, MC68xxx, Nqthm, automated 
reasoning, formal methods, machine code, mechanical theorem proving, object code, 
program proving, program verification 



10 Sound polymorphic type inference for objects 
Jonathan Eifrig, Scott Smith, Valery Trifonov 

October 1995 ACM SIGPLAN Notices , Proceedings of the tenth annual conference on 
Object-oriented programming systems, languages, and applications, 

Volume 30 Issue 10 


A polymorphic, constraint-based type inference algorithm for an object-oriented language is 
defined. A generalized form of type, polymorphic recursively constrained types, are inferred. 
These types are expressive enough for typing objects, since they generalize recursive types 
and F-bounded polymorphism. The well-known tradeoff between inheritance and subtyping 
is mitigated by the type inference mechanism. Soundness and completeness of type 
inference are established. 

11 ASN.1 protocol specification for use with arbitrary encoding schemes 
Duke Tantiprasut, John Neil, Craig Farrell 

August 1997 IEEE/ACM Transactions on Networking (TON), volume 5 issue 4 




12 Modular logic programming

Antonio Brogi, Paolo Mancarella, Dino Pedreschi, Franco Turini 

July 1994 ACM Transactions on Programming Languages and Systems (TOPLAS), 

Volume 16 Issue 4 


Modularity is a key issue in the design of modern programming languages. When designing 
modular features for declarative languages in general, and for logic programming languages 
in particular, the challenge lies in avoiding the superimposition of a complex syntactic and 
semantic structure over the simple structure of the basic language. The modular framework 
defined here for logic programming consists of a small number of operations over modules 
which are (meta-) logically defined and sema ... 

Keywords: composition operations, declarative semantics, logic programs, metalogic, 
modularity, program transformation 



13 Constraint programming and database languages: a tutorial 
Paris Kanellakis 
January 1996 ACM Transactions on Software Engineering and Methodology (TOSEM),
Volume 5 Issue 1





Good documentation is important for the production of reusable and maintainable software. 
For the production of accurate documentation it is necessary that the original program text 
is not copied manually to obtain a typeset version. Apart from being tedious, this will 
invariably introduce errors. The production of tools that support the production of legible 
and accurate documentation is a software engineering challenge in itself. We present an 
algebraic approach to the generation of tools ... 

Keywords: document preparation, program generators 

15 MPP: a framework for distributed polynomial computations
Olaf Bachmann, Hans Schönemann, Simon Gray

October 1996 Proceedings of the 1996 international symposium on Symbolic and 
algebraic computation 




16 A compiler approach to scalable concurrent-program design 
Ian Foster, Stephen Taylor 

May 1994 ACM Transactions on Programming Languages and Systems (TOPLAS), 



We describe a compilation system for the concurrent programming language Program 
Composition Notation (PCN). This notation provides a single-assignment programming 
model that permits concurrent-programming concerns such as decomposition, 
communication, synchronization, mapping, granularity, and load balancing to be addressed 
separately in a design. PCN is also extensible with programmer-defined operators, allowing 
common abstractions to be encapsulated and ... 

Keywords: monotonicity, program composition, programming abstractions, source-to- 
source transformations 



17 Harmony... on an expanding net
Barry Fenn, Hermann Maurer
October 1994 interactions, volume 1 issue 4

18 The changing nature of network traffic: scaling phenomena
A. Feldmann, A. C. Gilbert, W. Willinger, T. G. Kurtz 

April 1998 ACM SIGCOMM Computer Communication Review, volume 28 issue 2 

In this paper, we report on some preliminary results from an in-depth, wavelet-based 
analysis of a set of high-quality, packet-level traffic measurements, collected over the last 
6-7 years from a number of different wide-area networks (WANs). We first validate and 
confirm an earlier finding, originally due to Paxson and Floyd [14], that actual WAN traffic is 
consistent with statistical self-similarity for sufficiently large time scales. We then relate this 

19 System Administration: IP Masquerading Code Follow-Up
Chris Kostick

November 1997 Linux Journal



20 Pen computing: a technology overview and a vision 
Andre Meyer 

July 1995 ACM SIGCHI Bulletin, Volume 27 Issue 3 


This work gives an overview of a new technology that is attracting growing interest in public 
as well as in the computer industry itself. The visible difference from other technologies is in 
the use of a pen or pencil as the primary means of interaction between a user and a 
machine, picking up the familiar pen and paper interface metaphor. From this follows a set 
of consequences that will be analyzed and put into context with other emerging technologies 
and visions. Starting with a short historic ... 

TEXT:

MADISON, Wis., May 28 /PRNewswire/ - Standard Networks today released the
newest version of its MOVEit DMZ secure file transfer and storage software,
further lengthening that product's existing lead over so-called "secure" FTP
servers.

Other than the ability to manage authenticated, encrypted file transfers,
there is nothing particularly secure about the typical "secure" FTP server.
Such products de-encrypt and store files "in the clear," which means your
sensitive data can be read by anyone who hacks the server. In contrast,
MOVEit DMZ has always re-encrypted and securely stored all the files it
receives. MOVEit DMZ does this using its own strong, built-in, 256-bit key
AES encryption. MOVEit DMZ was designed from the ground up to keep your files
from being read, even if the server is hacked.

And now the new MOVEit DMZ v. 2.2 has advanced, firewall-friendly security
features that "secure" FTP servers lack.

Network security experts agree that Passive mode FTP transfers are far
more secure than Active mode FTP transfers. Most "secure" FTP servers support
Passive mode by requiring you to open all the ports on your firewall above
1023 -- some 64,000 open ports. This creates serious, and unnecessary,
network security vulnerabilities. In contrast, MOVEit DMZ v. 2.2 handles
encrypted Passive FTP in a way that greatly minimizes security
vulnerabilities. MOVEit DMZ can require Passive mode FTP transfers, and force
the use of a specific, limited range of open ports -- with as few as 4
ports.

Many organizations use NAT (network address translation) on their internal
networks. Most "secure" FTP servers are unable to establish encrypted FTP
connections with FTP clients when the server is located on a network using
NAT. In contrast, MOVEit DMZ v. 2.2 features a built-in NAT table that makes
such transfers possible -- even if the client and server are located on
separate NAT networks -- and even if the client and server have identical NAT
addresses.

The new features in MOVEit DMZ, together with its existing secure file
storage capability, support for file transfers using both standard Web
browsers and secure FTP clients, and ability to send file arrival email
notices to end-users, further extend MOVEit DMZ's lead over so-called
"secure" FTP servers it is sometimes mistakenly compared with. When it comes
to secure file transfers, see why those in the know say "MOVEit or lose
it."

For more about MOVEit DMZ, including how to request a free evaluation,
visit http://www.stdnet.com/moveitdmz .



About Standard Networks
Standard Networks ( http://www.stdnet.com ) is a privately held software
developer founded in 1989 to create high-capacity data communication and
protocol translation products for the global financial services industry. The
company has over a dozen years experience creating secure, reliable solutions
and providing responsive, high-quality support for them. Other products by
Standard Networks include:

The MOVEit family of software products, which provide comprehensive,
integrated, standards-based solutions for the secure file processing,
storage, and transfer of sensitive information over the Internet.
ActiveHEAT, which provides real-time data exchange between Web,
Windows, and XML-capable client/server apps and legacy apps running on
IBM OS/390 and AS/400 systems as well as Unisys hosts.

ABSTRACT



PROBLEM TO BE SOLVED: To provide a NAT (network address translation)
device which is possible to perform communication of a protocol including
information of IP addresses and port numbers such as FTP (file
transfer protocol) or H.323 inside of a packet.

SOLUTION: The NAT device positions between a device belonging to a
private address space and a device belonging to a global address space.
When the NAT address establishes a TCP (transmission control protocol)
session between the device belonging to the private address space and the
device belonging to the global address space, it is provided with a 1st
means which creates a mapping table for address translation corresponding
to the private address of the device belonging to the private address space
to an arbitrary global address in the global addresses held in the NAT
device, a 2nd means which holds the mapping table until a constant time
elapses from the time of completion of the TCP, and a 3rd means which
deletes the mapping table after the predetermined time elapses.

COPYRIGHT: (C) 2004, JPO

Abstract (Basic): US 20040193677 A1

NOVELTY - A switch analyzes communication received from a client to
identify client identifier of communication originating client and
virtual service identifier associated with the intended service. The
switch translates virtual service identifier to actual service
identifier of the service, translates client identifier to virtual
source identifier, and transmits translated identifiers to server for
intended service.

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the
following:

(1) method of conveying communications between client and server; and

(2) communication system.

USE - For managing network services e.g. web content, file
transfer protocol, electronic mail, e-commerce, printing, graphics,
audio and/or video services.

ADVANTAGE - Since the system performs double network address
translation, network services are selectively provided and managed by
regulating access to the services and by balancing loads associated
with the service.

DESCRIPTION OF DRAWING(S) - The figure shows a flow diagram
explaining the process of selectively managing network services.
pp; 15 DwgNo 5/70

Abstract (Basic): KR 2003034396 A

NOVELTY - A method of processing an FTP (File Transfer
Protocol) in an NAT (Network Address Translation) router is
provided to independently manage an IP translation table in order to
process the FTP packet having a TCP (Transmission Control Protocol)
packet type, thereby improving IP translation performance.

DETAILED DESCRIPTION - When a packet is received in an NAT
router (S21), the NAT router analyzes an IP header of the received
packet, and confirms whether a protocol type is a TCP type or a UDP
type (S22, S23). If the protocol type is the UDP type, the NAT router
performs a general UDP packet processing by using a UDP translation
table (S24). If the type is the TCP type, the NAT router analyzes a
destination port number of a TCP header, and confirms whether the
number is a TCP packet or an FTP packet (S25, S26). If the number is
the TCP packet, the NAT router performs a general TCP packet
processing by using a TCP translation table (S27). If the number is the
FTP packet, the NAT router performs an FTP packet processing by
using an FTP translation table operated independently from the TCP
translation table (S28).
pp; 1 DwgNo 1/10

Abstract (Basic): KR 2003018445 A

NOVELTY - An Internet protocol conversion apparatus using parallel
NAT-PT and Internet protocol conversion method using the same are
provided to realize a NAT-PT of a small-sized integrated circuit
using a system on chip technology and to process NAT-PT modules in
parallel.

DETAILED DESCRIPTION - A PHY chip (501) checks and processes a
protocol of a layer 1 and an error of a packet surrounded by an
electrical signal. A MAC (502) converts a protocol of a layer 2 into a
protocol of a layer 3 using a signal from the PHY chip. An IP
multiplexer/demultiplexer (503) distributes a packet from the MAC into
an empty NAT-PT modules (505,506) and stores a packet of a standby
state in an IP packet buffer (504). An SIIT (505) performs a header and
address conversion operation between an IPv4 packet and an IPv6 packet
using a packet from the IP multiplexer/demultiplexer. A DNS/FTP ALG
(506) receives a DNS/FTP packet from a packet output from the IP
multiplexer/demultiplexer and sends a DNS query packet to a DNS server
in order to find an IP address and update a mapping table. A mapping
table module (507) stores a pole of an IPv4 address necessary for the
modules (505,506) and stores a mapping table between IPv4 and IPv6
addresses generated from the modules (505,506).

Little Boxes, Big Bite -- An all-in-one security device will let your small
site run with the big dogs. (Product/Service Evaluation)

Smith, Hugh

Network Computing, 61

March 18, 2004

DOCUMENT TYPE: Product/Service Evaluation ISSN: 1046-4468

LANGUAGE: English RECORD TYPE: Fulltext

WORD COUNT: 4563 LINE COUNT: 00367

...test plan. First, we outfitted our small-office network with one
WAN interface and one public IP address. Internally, our small office
had a local network with private IP addresses and a DMZ for Web, e-mail
and FTP servers. Our LAN users were configured using DHCP, and the
security devices provided NAT (Network Address Translation) for
both DMZ and LAN traffic. The devices also were responsible for port
forwarding of...

...us and the outside world, so they had to have firewall features,
including traffic filtering, NAT and port forwarding. Stateful firewall
features for preventing DoS (denial-of-service) attacks, like syn...

...the devices' in-stream antivirus functionality-meaning the device scans
incoming e-mail (and possibly FTP and Web traffic) for viruses. This
scanning is similar to what your desktop antivirus software...

design of the IPv4 address space assumed a single addressing realm
for the entire Internet. NAT enables anyone to create separate, private
address realms, with NAT devices serving as the gateways ... using Network
Address Port Translation (NAPT), sometimes known as Port Address
Translation.

For NAPT, the NAT router must keep track of how the internal
private addresses map to particular ports on the outward-facing IP
address. Of course, at any given...

...active, which would require the router to keep track of all these
connections (see figure).

NAT ADVANTAGES

NAT succeeds in doing its primary job-saving IP addresses. In many
circumstances, it also... want static, globally significant IP addresses.
Changing ISPs and multihoming are also easier tasks if private IP
addresses are employed, because only the outward-facing addresses must be
taken into consideration. However, if two organizations employing
overlapping private IP addresses merge, at least one of them will have
to undergo full-scale renumbering.

NAT has a number of niggling disadvantages that keep vendors on
their toes correcting for this ... widespread technology. It's tricky, but
not impossible, to operate globally-visible servers behind a NAT (or
NAPT) router. In general, connections that initiate on the public side of
the NAPT device will have difficulty hooking up with services on the
private network. (One-to-one NAT devices that bind internal addresses
statically to public addresses will work normally.) Keep in mind that
services on the private network may include ... ftp. In general, applications
that separate out a signaling function from the transport function, as ftp
does, may

March, 2000

checked out the PPP (Point-to-Point Protocol) connection info, and
retrieved the PDX's external address. Unfortunately, my luck didn't
hold: I tried Telneting, surfing, and, finally, pinging on this...

...told them to am-scray.

Too bad. I wanted to try out the PDX's NAT capabilities. Network
address translation is a protection mechanism that shields your intranet
from hacking attempts by non-law-abiding citizens of the Internet. Instead
of accepting multiple internal IP addresses of your HTTP, FTP, or
Telnet servers, and possibly opening your site to a "spoofing" attack (see
Newton's Telecom Dictionary 15th ed., page 737), NAT restricts
connections to only a single "public" address, replacing the "fake"
address with the real hidden address of that server, so packets can...

Thomas, Tracy T.

WORD COUNT: 1564 LINE COUNT: 00120

Translation protocol allows a private network to be maintained
behind a gateway acting as a NAT router. The gateway translates the
address information of the private node to a globally unique...

...network. This means that the IP addresses inside the private domain can
be the reusable private addresses specified by RFC 1918.

When the first outgoing session is initiated from a private host, the
host's private address is mapped to a globally unique address by the
NAT router. This global address is bound so that all sessions originating
from the private host...

...sessions from the private network is limited by the number of available
global addresses. Basic NAT allows a pool of global addresses to be
shared by devices on a private network...

...address of the private host and the TCP/UDP port of the outgoing packet.
The private host IP address is translated to the external IP address
of the NAT router. A table is maintained in the NAT router to keep
track of sessions from each host in the private network. NAPT allows...

...number of sessions is limited only by the size of the translation table
in the NAT router. The address binding in NAPT involves translation from
the private address and private port to a global address and global
port. The TCP/UDP port concept... IP address information into the data
payload of the packet. Examples of such protocols are FTP, in which the
data session parameters are specified in the data of the control session...

... updates regularly.

The WebRamp 700S operates either in screening mode, where your users
have Internet-routable IP addresses, or in Network Address
Translation (NAT) mode -- where they're given private addresses.

By default, the program blocks all incoming connections to computers
on your network, but permits...

...from known 'denial of service' attacks. You can open holes in the
firewall for individual FTP, SMTP, POP3, DNS and HTTP servers on your
network. It's also easy to block...

...WebRamp 700S

Price (pounds) 399 (5 users) (pounds) 645 (25 users)

Pros Web-configuration interface, NAT support, built-in DHCP
server, optional content filtering, good performance

Cons Only 10Mbps at present...

the header information in the packets and directs them accordingly.
- The S9500 can run in NAT mode or transparent mode. In NAT mode,
the following mapping services are available:

--Mapped IP, where secure IP addresses on an...

...can be mapped to a set of externally registered IP addresses.

--Virtual IP, where an external IP address can be mapped to
multiple internal IP addresses (this is useful when a site has only one
IP address but needs to allow Internet users to access its internal Web
Server, ftp server, etc...).

In transparent mode, the S9500 Security Appliance is invisible to
networks and requires...

addresses automatically.

The SonicWall operates either in screening mode, where your users all
have Internet-routable IP addresses, or in network-address-
translation (NAT) mode, where your users all get private addresses.
In screening mode, telecommuters can log in through the firewall; the
more-secure NAT mode prohibits telecommuter access and requires only a
single Internet-routable IP address.

By default, the SonicWall blocks all incoming connections to computers
on your LAN but permits...

...protection enhancements become available. You can also optionally open
holes in the firewall for individual FTP, SMTP, POP3, DNS, and HTTP
servers on your LAN. A dynamic port-configuration option lets...

delivery.

Many firewalls change the source address of all outgoing IP datagrams
to their single external IP address. The firewall or router may be
configured to change the source address to one of...

...valid IP network number from which the externally visible firewall
address will be taken. With NAT, relatively few "real" addresses can
represent a much larger number of hidden, internal addresses.

In addition to substituting a different source IP address for outbound
traffic and a different destination address for incoming traffic, the
router or firewall doing NAT must recalculate and rewrite the 16-bit
frame check fields of both the TCP and the IP headers of each IP datagram.
NAT has other exotic implications for the headers written by FTP and
ICMP (Internet Control Message Program), but they're now well-understood
and handled readily...

Language: English Record Type: Fulltext

... AFS 2000's application-level proxy firewall supports secure use of
the World Wide Web, FTP, Telnet, e-mail, News, and Gopher. The AFS 2000's
firewall performs automatic network address translation from private
IP addresses to a single public IP address. Access control, as well
as reporting, are managed through the AFS 2000's easy-to...

...with all popular SMTP/POP3 clients such as Microsoft Exchange, Eudora,
Netscape Navigator, OnNet from FTP Software, Inc., and NetManage, Inc.'s
Chameleon. User E-mail accounts can be easily set...

... so that security threats from the Internet can be analyzed

A firewall can conceal the private IP address of your
workstation from prying eyes on the Internet. This is called network
address translation (NAT). In the example shown in Figure 2, the
public Internet address of the corporate firewall is 67.243.12.80.
Workstations on the private network all use the 10.0.0.0 private address
space. Someone trying to probe the port of a workstation from the Internet
would not...

...rules different from the rest of the company network. For example, the
firewall may allow FTP across a DMZ to an FTP server, but it might not
allow any workstations to use FTP.

Administrators can configure firewalls...

... concurrent connections, more than sufficient to meet Happy
Pharmaceuticals' requirements, now and in the future.

Network Address Translation
The advanced network address translation (NAT) capability of
FireWall-1 supports all applications and services, including H.323
applications. In addition, NAT works seamlessly with the virtual private
networking (VPN) capability of Check Point VPN solutions. For...

...host uses an illegal IP address. Additionally, throughput performance is
not significantly degraded when deploying NAT.

There are two modes of operation for NAT: dynamic mode and static
mode. Dynamic NAT provides users access to the Internet while conserving
registered IP addresses and hiding the actual...

...uses a single IP address to hide all internal network resources. An
unlimited number of internal IP addresses can be mapped to a single
public IP address. Since the IP address used in dynamic mode is used
only for outbound communication and...

...requirement and provides a one-to-one assignment between the published
IP address and the internal IP address. Static mode would typically be
implemented when administrators did not wish to expose the real...

Server is an application proxy Firewall and includes built-in
proxies for the required applications (FTP and HTTP). Configuring the
Firewall for these applications is simply a matter of enabling the...

...configured proxies.

The BorderWare Firewall Server also includes built-in proxies for
other common applications (FTP, PopMail, NNTP Real Audio etc). For
user-developed applications the BorderWare Firewall Server includes a...

...proxy. The user-definable proxy can be customised to support any TCP or
UDP application.

Network Address Translation
The BorderWare Firewall Server includes Network Address
Translation (NAT) as standard. In addition (as discussed in the
Integrated Services section of this response) BorderWare provides a Dual
DNS ensuring that the internal and external address spaces are
separated not only at the network level, but are also maintained in
separate...
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... is difficult enough without adding another layer of complexity. 

Keep in mind that when using NAT (Network Address Translation), you
will run into similar complexities when attempting to diagnose problems,
since the packet header ... base of operation for completely undermining the
integrity of the firewall.

All seven products performed NAT, which hides the addresses of all
devices initiating connections from inside your network by converting their
source address to the firewall's external address. This is a necessity
if you change ISPs and don't own your own address...

...you want to allow outside access to servers inside your network, you can
provide additional external addresses that are directly mapped to the
corresponding internal address.

A firewall is an obvious place to set up VPNs. All the firewalls we 
tested. . . 

...its stateful inspection capabilities approach those of a proxy firewall. 
For example, in addition to NAT, it offers user authentication and
defends against SYN and packet-fragmentation attacks. FTP restrictions 
can be implemented based on "put" and "get" commands as well as file names 
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...TEXT: so that security threats from the Internet can be analyzed 

A firewall can conceal the private IP address of your workstation from
prying eyes on the Internet. This is called network address
translation (NAT). In the example shown in Figure 2, the public
Internet address of the corporate firewall is 67.243.12.80. Workstations
on the private network all use the 10.0.0.0 private address space.
Someone trying to probe the port of a workstation from the Internet would
not...

... rules different from the rest of the company network. For example, the 
firewall may allow FTP across a DMZ to an FTP server, but it might not 
allow any workstations to use FTP. 
Administrators can configure firewalls... 
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Ask Dr. Intranet 

Blass, Steve 
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WORD COUNT: 227 

TEXT: We want to set up an FTP server for our network of 15 PCs. We had 
dynamic IP addresses in our Cisco. . . 

...IP addresses to your internal network using DHCP configuration. Give the 
FTP server a fixed private IP address in your network and map requests 
for your fixed public FTP address to the internal address using 
network address translation (NAT). Establish a NAT entry in the
Cisco 678 using the "set nat ..." commands of the Cisco Broadband
Operating System. Enable NAT with the "set nat enable" command. Then
establish the NAT mapping for your FTP server using the "set nat entry
add internal-IP internal-PORT external-IP external-PORT tcp." A link to a
configuration...
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...TEXT: that separates public-facing machines such as Web servers, Simple 
Mail Transfer Protocol servers and file transfer protocol servers 
from the private corporate LAN. Any connections between these servers and 
the internal LAN...

...inside the firewall from being attacked from the public servers if they
are ever compromised.

NAT: Network Address Translation is a service that lets you
simplify an internal network by making external machines appear to have
internal IP addresses. By translating an external IP address to an
internal one, there's no need to reconfigure the external machines. LINKS:
www...

...posted at Infowar.com Ltd.'s InfoSec and InfoWar Portal Web site.
www.dalantech.com/nat.shtml: For more on NAT, see "Network Address
Translation for Beginners" on the Da LAN Tech Web site. This site,
dedicated to network news...
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...TEXT: http://www.gta.com). These products are based on RFC 1631, an
IETF standard for network address translation; by contrast, most
firewalls that claim NAT capabilities merely map addresses to
high-numbered ports on the firewall, which limits the number of connections
possible and introduces complications for protocols such as FTP. Both of
these products are capable of retaining stateful information about
ordinarily stateless protocols such as FTP for security purposes; the
GNAT Box, however, is a full-fledged firewall while the Cisco product is
specifically for NAT purposes, designed to be used in combination with
other security solutions.

When a NAT gateway receives a packet from an internal computer, it
extracts the source address and compares it to an internal translation
table. If the computer's internal address isn't there, a new
translation is created. From then on, the source address of...

...checksums on the packet can be quickly updated without complete
recalculation since the difference between internal and external
addresses is known.

By contrast to a proxy solution, using a NAT gateway requires some 
calculation as to the maximum number of internal hosts likely to connect... 

...have developed heuristics to aid in this process. With a proxy, there is 
only one external IP address which can handle as many connections as 
the processing power of the gateway computer permits... 
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...TEXT: and its reporting and management tools met our requirements. 

All the products we tested completed network address translation
(NAT) tests performed by using Hypertext Transfer Protocol (HTTP), file
transfer protocol (FTP) and Post Office Protocol-3 (POP-3). An
example of such a test would be...

another machine and impersonate IP addresses, we recommend a 
challenge/response whenever possible. 

We used NAT when we left the protected network area. We verified that 
private IP addresses were translated into public addresses by 
analyzing the access logs on the World Wide Web server and FTP server to
verify that only the translated address was captured. 
Preparation counts 

The greatest challenges... 



6/3,K/20 (Item 1 from file: 647) 

DIALOG (R) File 647: CMP Computer Fulltext 
(c) 2004 CMP Media, LLC. All rts. reserv. 



01274242 CMP ACCESSION NUMBER: NWC2004 0318S0021 

Little Boxes, Big Bite - An all-in-one security device will let your small
site run with the big dogs

Hugh Smith with Scott Thomas and the CalPoly NetPRL Testing Team 
NETWORK COMPUTING, 2004, n 1505, PG61
PUBLICATION DATE: 040318 

JOURNAL CODE: NWC LANGUAGE: English 

RECORD TYPE: Fulltext 
SECTION HEADING: Review 
WORD COUNT: 4234

... test plan. First, we outfitted our small-office network with one
WAN interface and one public IP address. Internally, our small office
had a local network with private IP addresses and a DMZ for Web,
e-mail and FTP servers. Our LAN users were configured using DHCP, and
the security devices provided NAT (Network Address Translation)
for both DMZ and LAN traffic. The devices also were responsible for port
forwarding of...

...us and the outside world, so they had to have firewall features, 
including traffic filtering, NAT and port forwarding. Stateful firewall 
features for preventing DoS (denial-of-service) attacks, like syn...

...the devices' in-stream antivirus functionality-meaning the device scans 
incoming e-mail (and possibly FTP and Web traffic) for viruses. This 
scanning is similar to what your desktop antivirus software... 
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Translation protocol allows a private network to be maintained 
behind a gateway acting as a NAT router. The gateway translates the 
address information of the private node to a globally unique... 

...network. This means that the IP addresses inside the private domain can 
be the reusable private addresses specified by RFC 1918. 

When the first outgoing session is initiated from a private host, 
the host's private address is mapped to a globally unique address by 
the NAT router. This global address is bound so that all sessions 
originating from the private host... 

...sessions from the private network is limited by the number of available 
global addresses. Basic NAT allows a pool of global addresses to be 
shared by devices on a private network. . . 

...address of the private host and the TCP/UDP port of the outgoing
packet. The private host IP address is translated to the external IP
address of the NAT router. A table is maintained in the NAT router
to keep track of sessions from each host in the private network. NAPT
allows...

...number of sessions is limited only by the size of the translation table 
in the NAT router. The address binding in NAPT involves translation from 
the private address and private port to a global address and global 
port. The TCP/UDP port concept... IP address information into the data 
payload of the packet. Examples of such protocols are FTP, in which the
data session parameters are specified in the data of the control session 
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... is difficult enough without adding another layer of complexity. 

Keep in mind that when using NAT (Network Address Translation),
you will run into similar complexities when attempting to diagnose
problems, since the packet header ... base of operation for completely
undermining the integrity of the firewall.

All seven products performed NAT, which hides the addresses of all
devices initiating connections from inside your network by converting
their source address to the firewall's external address. This is a
necessity if you change ISPs and don't own your own address...

...you want to allow outside access to servers inside your network, you
can provide additional external addresses that are directly mapped to
the corresponding internal address.

A firewall is an obvious place to set up VPNs. All the firewalls we
tested...

...its stateful inspection capabilities approach those of a proxy
firewall. For example, in addition to NAT, it offers user authentication
and defends against SYN and packet-fragmentation attacks. FTP
restrictions can be implemented based on "put" and "get" commands as well
as file names...
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Can we talk? VoIP's firewall challenges 
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Text : 

... the problems with VoIP and firewalls is that VoIP doesn't really work
well with network address translation (NAT) (sharing one external
IP address among many internal computers). NAT is typically performed
by the enterprise firewall, so a further tension exists between those
trying ...

... new voice-aware firewalls that can perform protocol "patches" needed to
make VoIP work with NAT. There are two ways to adopt this approach:
Discard the existing firewall and replace it...

... process incoming and outgoing voice streams. In this approach, the
application gateway can see both internal NAT address space as well
as the global address space and can "patch" VoIP protocol fields as...

... It is similar to the way enterprises cope with security issues involved
with e-mail, FTP, DNS and other applications that cross from the inside
to the outside world. The overall...
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Text : 

...that separates public-facing machines such as Web servers, Simple Mail
Transfer Protocol servers and file transfer protocol servers from the
private corporate LAN. Any connections between these servers and the
internal LAN...

...inside the firewall from being attacked from the public servers if they
are ever compromised. NAT: Network Address Translation is a service
that lets you simplify an internal network by making external machines
appear to have internal IP addresses. By translating an external IP
address to an internal one, there's no need to reconfigure the external
machines. www.infowar...

...posted at Infowar.com Ltd.'s InfoSec and InfoWar Portal Web site.
www.dalantech.com/nat.shtml: For more on NAT, see "Network Address
Translation for Beginners" on the Da LAN Tech Web site. This site,
dedicated to network news...
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Text : 

...and its reporting and management tools met our requirements. 

All the products we tested completed network address translation
(NAT) tests performed by using Hypertext Transfer Protocol (HTTP), file
transfer protocol (FTP) and Post Office Protocol-3 (POP-3). An
example of such a test would be...

...another machine and impersonate IP addresses, we recommend a
challenge/response whenever possible.

We used NAT when we left the protected network area. We verified that
private IP addresses were translated into public addresses by
analyzing the access logs on the World Wide Web server and FTP server to
verify that only the translated address was captured.

Preparation counts 

The greatest challenges for. . . 
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...stores, but in all of our 
stores as the visitors return home with their 'once in a lifetime' 
memories, " Adler commented. 

Adler concluded, "It is always gratifying to report record 
earnings , particularly when they are so much stronger than the 
previous record . If current trends continue, the last six months of 
the year will be the strongest... 
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Sponsor: CSREA; ITI; KSII; WAS 
E.I. Conference No.: 62584 

Source: Proceedings of the International Conference on Internet Computing 
v 2 2003. 

Publication Year: 2003 
Language: English 

Document Type: CA; (Conference Article) Treatment: T; (Theoretical) 
Journal Announcement: 0404W3 

Abstract: This paper describes implementation of NAT-PT/SIIT (Network
Address Translation - Protocol Translation) and some ALGs (Application
Level Gateway). We named this project as 6TALK (IPv6 TrAnsLator of Krv6).
6TALK implemented NAT-PT/SIIT, DSTM (Dual Stack Transition Mechanism),
DNS-ALG and FTP-ALG. Those mechanisms we implemented are transition
mechanisms which let IPv4 migrate to IPv6 smoothly. 6TALK provides several
functions which enable IPv6 node at the edge of existing network to
communicate with IPv4 node by using these transition mechanisms.
Transition mechanism like NAT-PT uses IPv4/IPv6 header translation
algorithm (SIIT). So, if we want to run some application which has IP
address in its application protocol payload correctly we must have a
specific ALG for that application. FTP and DNS are typical examples that
have IP address in its payload. 6TALK has ALGs for FTP and DNS now. As
implementation environment we adopt netfilter framework in Linux
kernel-2.4.18. Netfilter framework is a new packet filtering mechanism
introduced in kernel-2.4.18. So, we made use of netfilter framework to
implement NAT-PT/SIIT. Since the main idea of NAT-PT comes from NAT
our major interest in performance is relative performance compared by
NATv4. We expected that the performance of NAT-PT would be worse than
NATv4, but the difference of performance between NAT-PT and NATv4 was
not much. 11 Refs.

Descriptors: *Data communication systems; Network protocols; Gateways 
(computer networks); Routers; Packet switching; Internet 

Identifiers: Performance analysis; Network address translation;
Protocol translation; Application level gateway; Dual stack transition 
mechanism 
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Title: On the implementation of a firewall based on Linux platform 

Author: Fan, Xunli; Jing, Guangjun 

Corporate Source: Dept. of Comp. Sci. and Technol. Nanjing Univ., Nanjing
210093, China 

Source: Xibei Gongye Daxue Xuebao/ Journal of Northwestern Polytechnical 
University v 20 n 3 August 2002. p 387-391 
Publication Year: 2002 
CODEN: XGDUE2 ISSN: 1000-2758 
Language: Chinese 

Document Type: JA; (Journal Article) Treatment: A; (Applications); T; 
(Theoretical); X; (Experimental)
Journal Announcement: 0211W1 

Abstract: This paper presents a firewall system based on Linux -
L-Firewall, which combines packet filter and proxy technology. Proxy and
authentication are implemented on B1 level operating system. The paper
emphasizes on the L-Firewall frame, especially on the implementation of
packet filter module. L-Firewall provides not only HTTP, FTP proxy and
packet filter, but also content filter, network address translation
to protect network from IP spoofing and IP source route spoofing.
L-Firewall tallies with GB/T17900-1999 and GB/T18020-1999. 3 Refs.

Descriptors: *Computer system firewalls; Security systems; Computer
operating systems; Computer networks; Wave filters; Protection

Identifiers: Linux platform; Packet filter model; Proxy; B1 level
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Language: English . Document Type: Journal Paper (JP) 

Treatment: Practical (P) 

Abstract: Call them Swiss Army knives for your remote sites. All-in-one 
gateways are becoming all the rage for broadband SOHO and branch locations 
as combination LAN and WAN interconnect appliances. Smaller than bread 
boxes, AIOs act as hubs or switches that interconnect devices in a small 
office and route you to a WAN or the Internet. Most come with standard 
Ethernet 10/100Base-T ports and a wireless access point for sharing 
resources ranging from computers and PDAs to print servers and storage 
systems. And by routing traffic through your DSL or cable modem, they share 
the external connection with the devices on the LAN, using a DHCP 
server/client and NAT (network address translation). If your ISP
requires authentication, you can use the AIOs' PPPoE (Point-to-Point
Protocol over Ethernet) feature. They also support secure VPN connections
and provide a packet-filtering firewall function. But you get what you pay
for with these devices, which cost anywhere from $50 to $1,000. High-end
AIO appliances, such as EmergeCore Networks' IT-100, come with more
advanced features such as e-mail, file and print sharing, and FTP and 
HTTP services. You can also buy add-on services with antivirus, 
content-filtering and traffic-shaping features. Although AIOs come with 
basic log files, not even the high-end AIOs include advanced diagnostics 
and management, so troubleshooting can be tricky. 

Subfile: D 

Descriptors: broadband networks; client-server systems; internetworking; 
local area networks; network servers; protocols; wide area networks 

Identifiers: all-in-one gateway; broadband SOHO; LAN interconnect 
appliance; WAN interconnect appliance; Internet; Ethernet 10/100Base-T port;
wireless access point; resource sharing; print server; storage system;
DHCP client server; network address translation; point-to-point
protocol over Ethernet; VPN connection; packet-filtering firewall

Class Codes: D5020 (Computer networks and intercomputer communications 
in office automation) 

Copyright 2004, IEE 
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Author(s): Xiaoyu Zhao; Yan Ma 

Author Affiliation: Network Information Center, Beijing Univ. of Posts & 
Telecommun., China 

Conference Title: 2001 International Conferences on Info-Tech and 
Info-Net. Proceedings (Cat. No.01EX479) Part vol.5 p. 258-63 vol.5 
Editor(s): Zhong, Y.X.; Cui, S.; Wang, Y.
Publisher: IEEE, Piscataway, NJ, USA 

Publication Date: 2001 Country of Publication: USA 6 
vol. (391+853+567+410+350+178) pp. 

ISBN: 0 7803 7010 4 Material Identity Number: XX-2002-00255 

U.S. Copyright Clearance Center Code: 0-7803-7010-4/01/$10.00

Conference Title: 2001 International Conferences on Info-tech and
Info-net. Proceedings

Conference Sponsor: China Assoc. Sci. & Technol. (CAST); Chinese Inst.
Electron. (CIE); IEEE Beijing Sect./ IEE Beijing Center; ATM Forum; Beijing
Internet Inst.; IEEE Commun. Soc; IEEE Comput. Soc; IEEE Control Soc;
Global Inf. Infrastructure Commission (GIIC); World Federation of Eng.
Organ. (WFEO); IFIP; Internet Eng. Task Force (IETF); Int. Council of
Comput. Commun. (ICCC)

Conference Date: 29 Oct.-1 Nov. 2001 Conference Location: Beijing,
China

Language: English Document Type: Conference Paper (PA) 
Treatment: Practical (P) 

Abstract: NAT-PT is a scheme dedicated to serve the pure IPv4 host to
communicate with the pure IPv6 host during the transition period of the
Internet. We have implemented a full-functional NAT-PT gateway software
based on RFC2765 and RFC2766, and some key upper-layer protocols such as 
HTTP, FTP and TELNET have been tested on it. We have also adopted several 
techniques in the gateway software implementation to get better performance 
and security. (20 Refs) 

Subfile: B C 

Descriptors: Internet; network operating systems; security of data; 
telecommunication security; transport protocols; Unix 

Identifiers: NAT-PT gateway; IPv4 host; IPv6 host; Internet; RFC2765;
RFC2766; protocols; HTTP; Linux; FTP; TELNET; gateway software;
performance; data security; Network Address Translation

Class Codes: B6210L (Computer communications); B6150M (Protocols); C6150N 
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Journal: Computer Communication Review vol.23, no.1 p. 16-33
Publication Date: Jan. 1993 Country of Publication: USA 
CODEN: CCRED2 ISSN: 0146-4833 

Language: English Document Type: Journal Paper (JP) 
Treatment: Applications (A); Practical (P) 

Abstract: The two most compelling problems facing the IP Internet are IP
address depletion and scaling in routing. The paper discusses the
characteristics of one of the proposed solutions, to place Network
Address Translators (Nat) at the borders of stub domains. Each Nat
box has a small pool of globally unique IP addresses dynamically
assigned to IP flows going through Nat. The dynamic assignment is
coordinated with Domain Name Server operation. The IP addresses inside
the stub domain are reused in other domains, thus solving the address
depletion problem. The pool of IP addresses in Nat is from a subnet
administered by the regional backbone, thus solving the scaling problem.
Nat can be installed without changes to any existing systems, although
FTP will fail in some but not all instances. This paper presents a
preliminary design for Nat, and discusses its merits and drawbacks. (7
Refs)
Subfile: B C 

Descriptors: internetworking; network servers; telecommunication network 
routing 
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Building security by making holes 

Bradner, Scott 

Network World, January 13, 2003, v20 n2 p18, 1 Page(s)
ISSN: 0887-7661

Company Name: VanDyke Software
Languages: English

Document Type: Articles, News & Columns 
Geographic Location: United States 

Presents a list given by VanDyke Software on what should be eliminated
in order to ensure enterprise network security. Indicates that these
include: non-NT versions of Windows; password authentication; Telnet;
Cleartext logon to any root or administrator account; FTP (file
transfer protocol); failure to provide end-user training in basic
security policy and procedures; IT departments fighting against the
proliferation of wireless network access points; and government studies on
how to secure the Internet. Declares that the list is a good start, but a
few things can be added such as: firewalls, because they just get people
thinking that they do not have to practice good security hygiene; any
network address translator that was installed for security reasons;
and the Digital Millennium Copyright Act. (EPE)

Descriptors: Security; Network Security; Network Management; Security 
Measures; Wireless Networking; Online Services; Online Systems 

Identifiers: VanDyke Software 
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3Com Corp. 3Com Home Wireless Gateway 

Molta, Dave 

Network Computing, October 29, 2001, v12 n22 p54, 66, 2 Page(s)

ISSN: 1046-4468 

Company Name: 3Com 

URL: http://www.3com.com

Product Name: 3Com Home Wireless Gateway 

Languages: English 

Document Type: Hardware Review 

Grade (of Product Reviewed): C

Geographic Location: United States 

Presents a mixed review of 3Com Home Wireless Gateway ($299), small
office/home office (SOHO) wireless gateway from 3Com (408, 800). Explains
that it integrates traditional Network Address Translation (NAT)
routing capabilities with an 802.11b wireless access point. Cites excellent
diagnostic capabilities, ability to restrict access to services by time of
day, Web interface, wide area network (WAN) cable/DSL port, and WiFi
compatibility. Mentions, however, that only electronic mail, Web, File
Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and
telnet can be blocked and it does not provide port-forwarding capabilities
or support for Demilitarized Zone (DMZ) hosts. Concludes that it is a good
solution to SOHO networking. On a scale ranging from 0 to 5, received the
rating of 3.10. Includes a table. (MEM)

Descriptors: Wireless Communication; Gateway; Wireless Networking;
Broadband Communication; Small Business; Home Office; Internet Access
Identifiers: 3Com Home Wireless Gateway; 3Com
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Firewalls — Netscreen-100 

Morrissey, Peter 

Network Computing, November 15, 1998, v9 n21 p88-90, 2 Page(s)
ISSN: 1046-4468

Company Name: NetScreen Technologies
URL: http://www.netscreen.com
Product Name: NetScreen-100
Languages: English
Document Type: Software Review
Grade (of Product Reviewed): B
Geographic Location: United States

Presents a favorable review of the NetScreen-100 ($7,995) from NetScreen
Technologies of CA (800, 408). States that it is based on a proprietary
operating system and uses proprietary ASICs to provide a cost-efficient and
easy to install firewall which requires only the assigning of IP addresses
to the interfaces via a serial connection. Appreciates that its excellent
performance was not negatively impacted once its NAT (network address
translation) function was run. Likes that it can pass packets through
without routing them. Expresses concern for its weak network access
controls, adding that even its ability to perform URL and FTP filtering
does not make it much more than a simple packet filtering device. (CAT)

Descriptors: Firewalls; Privacy; Security; TCP/IP 
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Firewalls — Cisco PIX Firewall 520 

Morrissey, Peter 

Network Computing, November 15, 1998, v9 n21 p88, 1 Page(s)

ISSN: 1046-4468 

Company Name: Cisco Systems 

URL: http://www.cisco.com 

Product Name: Cisco PIX Firewall 520 

Languages: English 

Document Type: Software Review 

Grade (of Product Reviewed): B

Geographic Location: United States 

Presents a favorable review of the Cisco PIX Firewall 520 ($9,000) from
Cisco Systems of CA (800, 408). States that its performance was the best of
all the units tested, adding that even the enabling of NAT (network
address translation) did not negatively impact it. Expresses concern
for its inability to regulate FTP puts and gets even though it can block
potentially harmful SMTP commands. Reports that testers found setting up 
more than very simple security policies involving access based on services, 
hosts, and networks a very awkward process. Cautions that the updating of 
current security policies to new rules requires the removal of all original 
rules prior to the entry of the new and unchanged ones. Expresses 
disappointment at its management application which requires that an NT 
Server be dedicated to run the software before users on the Web can access 
it. Labels its logging and monitoring weak. (CAT) 

Descriptors: Firewalls; Privacy; Security 
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McClure, Stuart 
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Company Name: CyberGuard 



URL: http://www.cyberguard.com
Product Name: CyberGuard for NT 4.1 
Languages: English 
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Presents a mixed review of CyberGuard for NT 4.1 ($1,495 for 25 users, 
$9,995 for unlimited users) from CyberGuard Corp. of Ft. Lauderdale, FL 
(800, 954). Notes that CyberGuard is simple to set up and utilize as soon 
as it has been installed but cautions that users do not have complete 
access to the firewall. Praises its inclusion of NT hardening products for 
disabling blank passwords, restricting file-system access to the users 
group, and eliminating all hidden shares except interprocess 
communications. Points out CyberGuard's compliance with NAT (network
address translation) and ICMP (Internet Control Message Protocol)
protocols, along with its granular FTP control of some functions.
Cautions about its lack of logging facility and warns that its load 
balancing is suitable at best. Concludes that even if flawed, CyberGuard is 
potentially a solid firewall for NT users. Includes one scorecard. (CAT) 
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TITLE: Still Fired Up: Three years later, Axent's Raptor Firewall still... 

AUTHOR: Schultz, Keith 

SOURCE: InternetWeek, v827 p34(1) Sep 4, 2000
ISSN: 0746-8121 

HOMEPAGE: http://www.internetwk.com

RECORD TYPE: Review 
REVIEW TYPE: Review 
GRADE: A 

AXENT Technologies' Raptor Firewall 6.5 with Power VPN, the latest upgrade 
to the product, is still one of the best application filtering firewalls on 
the market. One advantage of Raptor for Windows NT is the ability to 
include the Power VPN service. Power VPN (virtual private network) is also 
available separately and uses Proxy/Secured technology to scan all incoming 
and outgoing traffic. Users can therefore apply rules and proxies to VPN 
traffic, just as they do to regular traffic. Thus, secure, dependable 
communications are possible among customers and partners without installing 
a wide-open tunnel. Raptor Firewall 6.5 with PowerVPN supports Lightweight
Directory Access Protocol (LDAP), bi-directional Network Address
Translation (NAT), and a savvy management console. AXENT also plans
versions for Windows 2000, Tru64 UNIX, Solaris, and HP-UX. Raptor ships
with predefined proxies for widely used services, including Hypertext
Transfer Protocol (HTTP), ftp, Simple Mail Transfer Protocol (SMTP),
Network News Transfer Protocol (NNTP), and NTP. Raptor also provides a
proxy service called Generic Service Passes, which is a proxy filter that
helps provide secure, managed access for new or legacy IP services on
nonstandard support. Raptor Management Console is a customized release of
Microsoft Management Console, and Raptor Firewall 6.5 also works with
RADIUS, TACACS, and NT user domains, as well as an LDAP directory.
Bidirectional NAT, which is one of the best features in Raptor Firewall
6.5, allows users to create a list of addresses to make incoming and
outgoing traffic seem to originate from a predetermined address.

PRICE: $8995 



COMPANY NAME: Symantec Corp (38 6251) 



SPECIAL FEATURE: Charts Screen Layouts 

DESCRIPTORS: Computer Security; Firewalls; IBM PC & Compatibles; Internet 
Security; Internetworking; Intranets; Network Administration; Network 
Software; System Monitoring; Windows NT/2000 

REVISION DATE: 20020630 
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SOURCE: InfoWorld, v22 n12 p41(1) Mar 20, 2000
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RECORD TYPE: Review 
REVIEW TYPE: Review 
GRADE: A 

AXENT Technologies' Axent PowerVPN 6.5 is the latest version of AXENT's
solution to implementing virtual private networks. PowerVPN 6.5 received 
excellent marks for ease of use, flexibility, and compliance with Computer 
Security Association (ICSA) and Internet Protocol Security (IPSec) 
interoperability standards. PowerVPN sits at the application level and 
works as a proxy server. Its three primary components are PowerVPN server, 
RaptorMobile VPN, and Raptor Firewall. PowerVPN 6.5 has proxies for HTTP, 
HTTPS, FTP, Telnet, NNTP (Network News Transfer Protocol), ICMP (Internet 
Control Message Protocol), and NTP (Network Time Protocol), and it also 
supports SQLNet, NetBIOS, RealAudio, and AOL Instant Messenger. Entrust 
certificates, RADIUS (Remote Authentication Dial-In User Service), LDAP, 
userID/password, and other authentication options are included, but 
PowerVPN currently only supports Entrust certificates. Full Network 
Address Translation (NAT) support allows administrators to hide IP 
data from view, which is important for encrypted packets that need IP 
address payload modification. PowerVPN 6.5's important RaptorMobile client 
is much easier to install than in previous versions and can be configured 
to block traffic to specific ports. In testing, installation of PowerVPN 
6.5 took roughly 15 minutes, and configuration took about an hour. PowerVPN 
lacks X.509v3 support and is only available for Windows clients. 

PRICE: $1995 

COMPANY NAME: Symantec Corp (38 6251) 
SPECIAL FEATURE: Charts 

DESCRIPTORS: Computer Security; IBM PC & Compatibles; Internet Security;. 
AUTHOR: Cernick, Paul 

SOURCE: Network Computing, v10 n12 p38(2) Jun 14, 1999 
HOMEPAGE: http://www.NetworkComputing.com 

RECORD TYPE: Review 
REVIEW TYPE: Review 
GRADE: A 

FreeGate's OneGate 1000 beta Internet appliance is an all-in-one 
multiservice Internet gateway that includes an IP router, support for DNS, 
DHCP, and Network Address Translation (NAT); and a Web server, a 
firewall, e-mail, an FTP server, and virtual private network (VPN) 
support. OneGate 1000 also has an intuitive user interface that simplifies 
configuration and cuts down on administrative overhead. The configuration 
interface is helpful, but it does not eliminate additional configuration 
for complex network functions. However, OneGate 1000 is a step in the right 
direction to make Internet technology accessible and affordable, one 
example being that it can be configured as a remote-access VPN as a 
software license add-on. In addition to remote-access VPN, a 
branch-to-branch VPN can be configured with two OneGate 1000s, which 
creates a secure tunnel between sites using IP Security, Triple DES, and MD5 
technology, and is configurable depending on geographic location. Both 
VPN-based solutions will only support IP. The good documentation expedited 
troubleshooting OneGate 1000, and the online diagnostic tools were detailed 
enough to fix a host of problems. Upgrading hard drives is easy, as is 
adding memory, and buying a completely new box as a company's technology 
grows is unnecessary. 

...SPECIFICATION outer header of the packets (the IPv4 address in the inner 
header remains unchanged), the NAT according to the present embodiment 
also reflects the translation at the level of the inner header. 

As illustrated by figure 1, according to the present embodiment, the 
NAT is assisted by an "Application Level Gateway" for the specific 
processing required for the 6to4... 

...realm. In the present example, the ALG is integrated into the router, 
along with the NAT. 

The 6to4 ALG operates on packets sent by applications running over the 
6to4 protocol. It... 

...detected packets, carries out the following processing: 

(a) In the inner IPv6 header, replace the private IPv4 address 
('V4ADDR') of the 6to4 prefix with the public IPv4 address for 
outgoing packets and vice versa for incoming packets. 

(b) Update fields depending on the... 

...any upper layer fields embedding the 6to4 prefix, such as it is the case 
in FTP (e.g. the whole prefix has to be replaced in the payload of an 
FTP packet (EPTR field)). 

The coherence between the inner and the outer header is then restored... 

...incorrect packet delivery, in particular a response packet to a 6to4 
packet going through a NAT functionality. The responding host, e.g. 
when Host 3 of figure 1 responds to Host 1, Router 2 will use the public 
IPv4 address in the modified 6to4 prefix to generate an IPv4 
destination address for Host3 response packet... 

...associating inbound and outbound traffic packets. The 6to4 ALG carries 
out the following processing. The NAT ALG maintains a list for mapping 
6to4 destination addresses of inbound packets to the correct private 
6to4 host address for packets returned by a remote host. It picks up a 
'multiplexing identifier' from the... 

...ABSTRACT typical environment the hosts and servers of an internal 
network access the Internet via a NAT Router. The configuration of the 
external address, external port, and external protocol code of an 
internal server as well as the internal address, internal port, and 
internal protocol code of the internal server on the NAT Router, and 
the establishment of a mapping table relating to the internal server 
according to the configured parameters, enables external hosts to access 
the internal server through the valid public IP address of the 
internal network and the port providing exterior services of the internal 
server. 

According to the present invention, WEB server and FTP server in the 
LAN can be easily provided without occupying too much valid IP addresses, 
thus, the present invention saves limited public IP addresses 
resource. Furthermore, the present invention implements port-level 
support to the internal server, and guarantees... 

Detailed Description 

...outer header of the packets (the IPv4 address in the inner header remains 
unchanged), the NAT according to the present embodiment also reflects 
the translation at the level of the inner header. 

As illustrated by figure 1, according to the present embodiment, the 
NAT is assisted by an "Application Level Gateway" for the specific 
processing required for the 6to4... 

...realm. In the present example, the ALG is integrated into the router, 
along with the NAT. 

The 6to4 ALG operates on packets sent by applications running over 
the 6to4 protocol. It... 

...detected packets, carries out the following processing. 

(a) In the inner IPv6 header, replace the private IPv4 address 
('V4ADDR') of the 6to4 prefix with the public IPv4 address for 
outgoing packets and vice versa for incoming packets. 

(b) Update fields depending on the... 

...any upper layer fields embedding the 6to4 prefix, such as it is the case 
in FTP (e.g. the whole prefix has to be replaced in the payload of an 
FTP packet (EPTR field)). 

The coherence between the inner and the outer header is then 
restored... 

...incorrect packet delivery, in particular a 
response packet to a 6to4 packet going through a NAT functionality. The 
responding host, e.g. when Host 3 of figure 1 responds to Host 1, Router 
2 will use the public IPv4 address in the modified 6to4 prefix to 
generate an IPv4 destination address for Host3 response packet... 

...associating inbound and outbound traffic packets. The 6to4 ALG carries 
out the following processing. The NAT ALG maintains a list for mapping 
6to4 destination addresses of inbound packets to the correct private 
6to4 host address for packets returned by a remote host. It picks up a 
'multiplexing identifier' from the... 

...and 114 for the three IP devices 124, 134, and 144 even though NAT 
device 101 only has two IP addresses (135 25... ...an IP device in the 
other IP address realm. In the example above of traditional NAT or 
outbound NAT, IP devices 124, 134, and/or 144 in IP address realm 114 
established... 

...web server running on IP device 122 in IP address realm 112. This 
communication using NAT was outbound from IP address realm 114 that 
comprised private IP addresses 1 OXXX In the traditional NAT 
example described above, the binding or mapping of IP addresses and/or 
ports in NAT device 101 was statically assigned or dynamically 
created when a device in IP address realm 114 initiated a session. 
Bi-directional or two-way NAT would allow IP device 122 with an IP 
address in IP address realm 112 non-limiting example of bi-directional 
NAT, assume that IP device 122 has the internet-valid, public IP 
address of 192 190 Further assume that IP devices 124, 134, and 144 have 
the private IP addresses of 10 0. 124, 10 0.134, and 10 0. 144, 
respectively. Also, assume that NAT device 101 manages the two 
internet-valid IP addresses of 135 25. 1... 0.144 TCP port 21. TCP port 21 
is the well-known TCP port for FTP servers, while TCP port 80 is the 
well-known port for HTTP servers or web... 

...addresses is similar to the configuration described above in the example 
for traditional or outbound NAT. Thus, the outbound access described 
above for traditional or outbound NAT will still operate the... 

...method for working through Network Address Translation (NAT) devices. 

Said problem with Network Address Translation (NAT) devices, even if 
NAT devices are able to translate addresses of private networks in 
messages to public IP addresses so that the messages can be sent 
through internet, is, however, that currently no standard for making 
Mobile IP work through NAT devices. NAT devices are widely deployed 
because the use of private addresses requires less public IP 
addresses than 

...been made to share a single network address among multiple computers. 
One well known example is Network Address Translation (NAT), which 
hides an ...external 
network 104 by routing network traffic through the access point. Internal 
networks generally use private network addresses that are not 
routable on the public 
network without translation. During operation, access points... 

...source IP address and ports of outgoing network traffic to map the 
traffic to an external or public address of the access point and a 
unique port. Conversely, the access point translates incoming network 
traffic destination IP address and unique port back to an original 
internal address and port. However, access points ...ports. 

Network traffic translation performed by a translating access point such 
as a NAT gateway/router 102, firewall 108, or the like, is 
transparent to many applications. However, such... IP Security (IPSec), 
end-to-end security models not allowing packet header alterations, and 
the File Transfer Protocol (FTP), are all examples of protocols 
that break if used behind translating access points such... 

Detailed Description 

...been made to share a single network address among multiple computers. 
One well-known example is Network Address Translation (NAT), which hides 
an internal network behind an access point in communication with... 

...external network by routing network traffic through the access point. 
Since the internal network uses private network addresses the packets 
from this network are not routable in the Internet without translation. 
During operation... 

...address and ports of outgoing network traffic to map the traffic to an 
external or public 
address and a unique NAT port. NAT also modifies destination IP 
address and port of incoming network traffic using the mapping of 
external address and unique NAT port back to the original internal 
address and port. NAT ignores network traffic not received in 
response to original outgoing network traffic, and incoming 
traffic to unmapped ports, 

Network traffic translation performed by a translating access point such 
as a NAT gateway/router 102, firewall 108, or the like, is transparent 
to many applications. However, translations... 

...address and/or communication port values as application data within 
network traffic, such as the File Transfer Protocol (FTP), 
multi-player network game protocols, etc. 

For example, in FIG. 1, an H.323 client... 

Detailed Description 

...decipher and translate the address information contained 
within the data payload. As a result, secure FTP cannot be 
used in crossing firewall boundaries. 

SUMMARY OF THE INVENTION 
The present invention provides... 

...problems and 
disadvantages associated with previous methods and systems. 

In particular, client-side network address translation (NAT) 
is performed at the server on encrypted payload addresses, 
using header address information. 

In accordance... 

...communication packet 
including a header and a data payload. The header may 
include a client external IP address, and the data payload 
may include an encoded port command having a client internal 
IP address and a client data port number. The server may 
also include a codec operable to decode the port command. A 
translation module may be provided for retrieving the client 
external IP address from the header and replacing the client 
internal IP address with the client external IP address. In 
accordance with one embodiment of the present invention, the 
server is operable to establish data channel coordinates 
including the client external IP address, the client data 
port number, a server internal IP address and a server data 
port number. 

In accordance with another aspect of the present 
invention... 

Claim 

client over a first channel, 
the dual communication packet including a header having a 
client external IP address and a data payload having an 
encoded port command having a client internal... 

...client and 
the server. 

4 The server of Claim 1, further comprising a file 
transfer protocol (FTP) communication module wherein the 
communication session between the server and the client over 
the second channel is conducted in secure FTP. 

5 The server of Claim 1, wherein the codec is 
operable to decode based on... 


...server over a first channel, 
the dual communication packet including a header having a 
server external IP address and a data payload having an 
encoded port command having a server internal IP address and 
a server data port number; 

a codec operable to decode the port command; 

a translation module operable to retrieve the server 
external IP address from the header and to generate a 
modified port command including the external IP addresses; 
and 

the server operable to establish a second channel based 
on the modified port command... 

...each of the 
client and the server. 

The client of Claim 6, further comprising a file 
transfer protocol (FTP) communication module wherein the 
communication session between the server and the client over 
the second channel is conducted in secure FTP. 

10 The client of Claim 6, wherein the codec is 
operable to decode based on... 

...first socket 518, during which routing they are translated at a packet 
level by the NAT component 510 of the PNAT device 502, so that the 
identifier of the client 504, such as the private IP address of the 
client 504, is re-inserted into the packets, taking the place, for 
example, of the public IP address that the private IP address was 
previously translated to, and the source is set to be the server... 

...stream is used to exchange addresses of another stream. Example 
protocols in this regard include File Transfer Protocol (FTP), as 
well as most media streaming protocols. These protocols require specific 
editing for traversing NAT, as can be appreciated by those of ordinary 
skill within the art. 

It is also noted that each of the proxy component 508 and the NAT 
component 510 can in varying embodiments be software, hardware, or a 
combination of... 

Detailed Description 

subnet is smaller of part of a larger network using a similar network 
addressing scheme. 

Network Address Translation ("NAT") has been proposed to extend the 
lifetime of Internet Protocol version 4... 

...few dozen nodes or devices because of the computational and other 
resources required. Network address translation potentially requires 
support for many different application layer internal network protocols 
be specifically programmed into a translation mechanism such as a 
network address translation router. 

Computational burdens placed on a network address translation 
router may be significant and degrade network performance, especially if several 
network address translation-enabled sub-networks share the same 
network address translation router. 

In a worst case scenario, a network address translation router 
translates every inbound and data packet. 


